One third of Firefox users vulnerable to known flaws; IE and Chrome continue to gain share

An alarming number of Firefox users appear to be sticking with old versions.

Microsoft's Internet Explorer and Google's Chrome both gained market share during April, with Mozilla Firefox and Apple's Safari losing out. The Firefox numbers are bad news for another reason, too: Firefox users are leaving themselves open to exploitation, with about a third appearing to use obsolete, unpatched versions of the browser with known security flaws.

Mozilla, meanwhile, continues to see Firefox's market share drop. At current rates, Firefox will represent less than one in five Internet users next month. It seems that new computer users simply aren't using the Mozilla browser as much as users of old machines. By the end of last month, Windows 7 users showed high uptake of both Internet Explorer 9 (35.5 percent of users) and Chrome 18 (21.0 percent of users). Firefox 11/12, however, managed to pick up only 15.3 percent of users. A few Windows 7 users might be sticking with old versions of Firefox, but this is unlikely to be common: only the Extended Support Release of Firefox 10 and latest Firefox 12 are actively maintained and supported. Windows 7 buyers are still interested in non-Microsoft browsers; they just seem to want Google's browser more than Mozilla's.

March was a bumper month for Internet Explorer 9 usage, as it leapt by 2.6 points. April was rather quieter: that version's share grew, but it only picked up 0.71 points. Internet Explorer 8 also gained, picking up 0.49 points. Pleasingly for Web developers, both Internet Explorer 6 and 7 lost share, falling by 0.44 and 0.48 points respectively. Microsoft is continuing to advertise the newest version of its browser, and continuing, belatedly, to push automatic updates for the browser.

April was an important month for Firefox's updates, though you wouldn't know it from looking at its adoption graph. Firefox 12 was released on April 25th. This had two effects. First, Firefox 12 includes a streamlined update system for Windows users. Upgrading Firefox no longer triggers a UAC prompt; you simply restart the browser and the new version automatically installs. The process still isn't seamless the way Chrome's updates are, but it's a lot less invasive and a lot more convenient than it once was.

Also triggered by the release of Firefox 12 is the end of support for Firefox 3.6.x. Firefox users wanting to receive security updates must now install either the Firefox 10 Extended Support Release, or Firefox 12. Unfortunately, Firefox has a long tail of non-upgraders. 5 percent of Firefox users are still using a 3.5 (or older) build; 3.5 was last updated on April 28th, 2011. Another 16 percent of Firefox users are still on versions 4 through 9, which similarly aren't receiving security updates. Even assuming that all Firefox 10 users are on the latest ESR build, fully 33 percent of Firefox users are using a version of the browser with known security flaws.

Chrome's consistent, high-uptake updates continue to be unmatched by its rivals. If nothing else, this shows the importance of having automatic updates from day one: it makes it much harder for people to get stuck on old, manually-updated versions of the software. There does remain a hardcore set of 12 percent of Chrome users that insist on using ancient versions of the browser, however.

The mobile browsing market continues to show considerable volatility. Android's browser is starting to pull away from Opera Mini, but Safari remains dominant. Net Market Share reports that the iPad has overtaken the iPhone; although there are far more iPhones in people's hands than there are iPads, the browsing experience of the tablet is, unsurprisingly, preferred to that of the phone.

Google's dominance at Ars continues unabated, with both Chrome and Android stretching their leads.

"Even assuming that all Firefox 10 users are on the latest ESR build, fully 33 percent of Firefox users are using a version of the browser with known security flaws."

Fucking luddites. Those 3.5/3.6 users are as bad as IE6 home users in my eyes.

I bet they really care. You know everyone really cares about how they look in the eyes of "fucking arseholes". Just like Dotzler and FF care about how every "rapid release" seems to break yet one more component of the only reason to use FF, its extensions. Same blinkered, idiotic, techie stupidity. Techies should stick to hardware, they're totally "fucking idiots" at fleshware. Which is why they'll mostly end up tinkering in a corner somewhere while people with more useful skills actually run the business.

"Even assuming that all Firefox 10 users are on the latest ESR build, fully 33 percent of Firefox users are using a version of the browser with known security flaws."

Fucking luddites. Those 3.5/3.6 users are as bad as IE6 home users in my eyes.

I blame Mozilla more than the users. Not fixing plugins and their memory leaks on time, and not working on plugin compatibility on update really hurt. More recently, fucking around with the interface when auto-update was probably a more useful feature to spend effort on. OK the interface guys don't work on auto-update. Fire them, it's not like they're doing very much good anyway. Hire developers who will be appropriate to work on auto-update. Chrome has had silent update for over a year at least.

I'm a pissed off Firefox user. As a web developer, the last thing I want to see is IE gaining. Ugh...

I wanted to like Chrome. Seeing as I use Google's online services for everything else - it just made sense. But dammit if that UI just feels so damn constrained compared to FF. Don't get me started on IE9. I was also interested to see the differences between desktop browsers visiting Ars vs the mobile versions.

As for the security vulnerabilities in FF - of course that's more pronounced when using older versions. Same goes for any piece of outdated software. I adjusted to the new FF since 3.6 though. It wasn't that hard and I ended up enjoying the added features - pinned & grouped tabs etc.

Never got why it is so hard for people to update. When there is an update available it tells you. You hit "update". Update done. What the hell's the problem?

I can understand nasty bureaucracies like offices where there is an IT guy who has to oversee the updates and make sure for compatibility ...and just the plain "I don't want to deal with it if it breaks anything, they're better off as they are" ambivalence.

The disdain for the average joe never shocks me on Ars. He's the idiot because he uses what works and doesn't want to upgrade his browser every 3 weeks, or root his phone to upgrade to ice cream sundae or whatever.

Maybe they are too busy actually using the product instead of upgrading. It's an amazing world out there when you spend less time patching and upgrading and more time doing the things you enjoy....

"Even assuming that all Firefox 10 users are on the latest ESR build, fully 33 percent of Firefox users are using a version of the browser with known security flaws."

Fucking luddites. Those 3.5/3.6 users are as bad as IE6 home users in my eyes.

I bet they really care. You know everyone really cares about how they look in the eyes of "fucking arseholes". Just like Dotzler and FF care about how every "rapid release" seems to break yet one more component of the only reason to use FF, its extensions. Same blinkered, idiotic, techie stupidity. Techies should stick to hardware, they're totally "fucking idiots" at fleshware. Which is why they'll mostly end up tinkering in a corner somewhere while people with more useful skills actually run the business.

Lol I see you have an inferiority complex and have been made to feel useless by yourself around your office, or have been called out for your lack of knowledge and/or have an apathy towards improving so instead you choose to lash out at what "threatens" you.

I'm surprised to see that IE only has a 3.5% share of Ars mobile visits. For as heated as some of the WP7 threads get, I would have expected 15-20%.

On the other hand, the context-sensitive back button drove me insane. I've recently been able to abandon the employer-provided WP7 device, and it is nice to be free of all of the minor frustrations that it provided.

I blame Mozilla more than the users. Not fixing plugins and their memory leaks on time, and not working on plugin compatibility on update really hurt. More recently, fucking around with the interface when auto-update was probably a more useful feature to spend effort on. OK the interface guys don't work on auto-update. Fire them, it's not like they're doing very much good anyway. Hire developers who will be appropriate to work on auto-update. Chrome has had silent update for over a year at least.

I'm a pissed off Firefox user. As a web user, the last thing I want to see is IE gaining. Ugh...

Mostly this. Though I think Chrome is gaining because the extension field is much more nascent, if even present (I don't keep up on Chrome as much as Firefox development). So they more or less keep it all simple, and of course the streamlined silent update works a hell of a lot better than Firefox's did until very recently.

Just like Dotzler and FF care about how every "rapid release" seems to break yet one more component of the only reason to use FF, its extensions. Same blinkered, idiotic, techie stupidity. Techies should stick to hardware, they're totally "fucking idiots" at fleshware. Which is why they'll mostly end up tinkering in a corner somewhere while people with more useful skills actually run the business.

You realize addon compatibility has been a near complete non-issue since firefox 10, right? That was 3 months ago.

Never got why it is so hard for people to update. When there is an update available it tells you. You hit "update". Update done. What the hell's the problem?

I can understand nasty bureaucracies like offices where there is an IT guy who has to oversee the updates and make sure for compatibility ...and just the plain "I don't want to deal with it if it breaks anything, they're better off as they are" ambivalence.

As an IT worker for one of those 'nasty bureaucracies', we have to use an older (locked-down version) of IE for compliance/compatibilities. :-p

Never got why it is so hard for people to update. When there is an update available it tells you. You hit "update". Update done. What the hell's the problem?

I can understand nasty bureaucracies like offices where there is an IT guy who has to oversee the updates and make sure for compatibility ...and just the plain "I don't want to deal with it if it breaks anything, they're better off as they are" ambivalence.

For some people, automatic updates have caused a lot of headaches -- not just from Firefox, but other software as well. Once you get hosed by an update, you're going to be a lot less likely to go along with automatic updates in the future with any software. The problem with Firefox specifically is that if they do (and they have) release a version with a major bug(s), there is no easy way to go back to the last stable version. So during the time you are hosed with a critical bug that the latest update introduced, you're likely to either switch browsers, or if you can get your hands on an older version, you're going to think long and hard about automatic updates in the future.

Of course, if you're one of the lucky ones who have never been burned by an update, then it does seem puzzling why everyone doesn't do it -- and you'll probably continue to berate the people who have had problems right up until an update bites you in the arse. Maybe then you'll understand what some of the rest of us have had to go through...

For some people, automatic updates have caused a lot of headaches -- not just from Firefox, but other software as well. Once you get hosed by an update, you're going to be a lot less likely to go along with automatic updates in the future with any software. The problem with Firefox specifically is that if they do (and they have) release a version with a major bug(s), there is no easy way to go back to the last stable version. So during the time you are hosed with a critical bug that the latest update introduced, you're likely to either switch browsers, or if you can get your hands on an older version, you're going to think long and hard about automatic updates in the future.

Of course, if you're one of the lucky ones who have never been burned by an update, then it does seem puzzling why everyone doesn't do it -- and you'll probably continue to berate the people who have had problems right up until an update bites you in the arse. Maybe then you'll understand what some of the rest of us have had to go through...

Heh, I was working IT for a Northern CA school district back when they transitioned from IE6 to IE7. There were so many incompatibility issues that we had to write a script to revert back to IE6. Those were the days. :-p

Anyone else find it amazing that Opera Mini is in the same ballpark as Android's browser? Is there a mobile OS that Opera Mini is particularly strong on?

I suspect part of Android's uptake issue may be that some Android phones and other browsers masquerade as the iPhone browser since some sites still only serve their mobile versions to iOS. It's also a native option on Android (and Windows Phone) to use a desktop user agent, which will also drive the represented Android share down.

I read all of the available comments before posting, just to be sure, and all I have to say is that the title is confusing. Count my posts where I complain about the title of the article, I bet they'll be almost nonexistent. Anyways, I might suggest a better way to convey that the security flaws are not directly related to the gains in IE and chrome market share. Perhaps a semicolon would help.

As written, it seems that the IE and chrome are gaining in security vulnerabilities as well. See: http://www.google.com/search?q=seana+co ... ent=safari This is the ars I know and love, and honestly was nearly equal to my college education in teaching me to think based on the structure/form of what was being said rather than the "hand wave" content. I hope ars doesn't become another sensationalist rag. I have too much invested in it to see it turn into that. I also have a keen awareness of the limited being of people, including the writers, and hope they realize the charge of writing for a publication that I hold in (globally/universally) high esteem, and that ars can continue to maintain the high quality of writing that brought me to the site in the first place. Keep the peace, brother man.

"There does remain a hardcore set of 12 percent of Chrome users that insist on using ancient versions of the browser, however."

This probably doesn't account for the full 12%, but Linux users with the Chromium browser are probably detected / included in the Chrome statistics, however Chromium doesn't have the same awesome automatic update feature. I would guess that some of that 12% are Linux users with old Linux distributions?

Never got why it is so hard for people to update. When there is an update available it tells you. You hit "update". Update done. What the hell's the problem?

I can understand nasty bureaucracies like offices where there is an IT guy who has to oversee the updates and make sure for compatibility ...and just the plain "I don't want to deal with it if it breaks anything, they're better off as they are" ambivalence.

My office is going to FF; instead of going to FF10 we are moving to FF8, fucking weird.

theJonTech wrote:

The disdain for the average joe never shocks me on Ars. He's the idiot because he uses what works and doesn't want to upgrade his browser every 3 weeks, or root his phone to upgrade to ice cream sundae or whatever.

Maybe they are too busy actually using the product instead of upgrading. It's an amazing world out there when you spend less time patching and upgrading and more time doing the things you enjoy....

A browser with unpatched security flaws is not a browser that works, sorry.

Anyone else find it amazing that Opera Mini is in the same ballpark as Android's browser? Is there a mobile OS that Opera Mini is particularly strong on?

I suspect part of Android's uptake issue may be that some Android phones and other browsers masquerade as the iPhone browser since some sites still only serve their mobile versions to iOS. It's also a native option on Android (and Windows Phone) to use a desktop user agent, which will also drive the represented Android share down.

There's always an excuse for Android's lack of browsing market share. Does Android also mask purchases from the app stores as well? Or is there another excuse for that?

I blame Mozilla more than the users. Not fixing plugins and their memory leaks on time, and not working on plugin compatibility on update really hurt. More recently, fucking around with the interface when auto-update was probably a more useful feature to spend effort on. OK the interface guys don't work on auto-update. Fire them, it's not like they're doing very much good anyway. Hire developers who will be appropriate to work on auto-update. Chrome has had silent update for over a year at least.

I'm a pissed off Firefox user. As a web user, the last thing I want to see is IE gaining. Ugh...

Mostly this. Though I think Chrome is gaining because the extension field is much more nascent, if even present (I don't keep up on Chrome as much as Firefox development). So they more or less keep it all simple, and of course the streamlined silent update works a hell of a lot better than Firefox's did until very recently.

Using Firefox 13 beta right now. BLEEDING EDGE!

blame mozilla for other devs' bad code, nice logic. you cannot "fix" persistent attempts of others at breaking your work, you can only lessen its effects, the fact that they have ever made any significant progress in achieving this is already a testament to their competence and dedication. there's nothing "simple" about auto update, or a fully open platform that allows 3rd party extensions anyone can contribute to. they're doing a fine job of making things easy for everyone imo, if you can't handle manual updates and managing extensions, then don't use firefox. why would you even compare a platform this powerful and flexible to a stripped down idiot proof app like chrome? if you want a no-brainer then that's what you use, this is the simple part.

they are in the same age old conundrum as every other open software dev that the public relies on for a reasonable amount of security, if they force silent updates to clients then half of you are going to whine about broken extensions and modifying your install without permission. if they don't force updates then the other half whines about them not automating simple tasks that you could accomplish yourself in a few clicks. damned if they do, damned if they don't, and people are not smart enough to consider they're working on a timeline that affects an entire dev community, not just their own client. auto-update was a huge step that they obviously did not take lightly, no matter how much you take it for granted.

you cannot fix stupid, maybe this is what people are really asking for.

Firefox 13 beta is really nice. Its memory usage is very good (now) and even beats Chrome (running the same tabs) by a substantial amount. It's also faster with lots of tabs, fonts look better, runs real Noscript and uses D2D better than Chrome.

Chrome is a good browser but it still has issues like all the others. I stopped putting it on people's computers after the Google privacy shift and the Vupen thing. It's nice to be back using Firefox especially now that it auto updates.

My company refuses to use anything newer than Firefox 9. Starting from 10, they started breaking the ability to use self-signed SSL certificates. 3ware web admin stopped working in 10 because of this. Our internal & development servers stopped working under Firefox 11.

Chrome has had this issue way early ... probably starting version 2.

Sorry but we're not paying $200 per internal server. And we can't even do that for 3ware web admin even if we wanted to.

My company refuses to use anything newer than Firefox 9. Starting from 10, they started breaking the ability to use self-signed SSL certificates. 3ware web admin stopped working in 10 because of this. Our internal & development servers stopped working under Firefox 11.

Chrome has had this issue way early ... probably starting version 2.

Sorry but we're not paying $200 per internal server. And we can't even do that for 3ware web admin even if we wanted to.

Create an enterprise CA (Windows Server or openssl are both fine for this). Add the CA's certificate to the Trusted CA store of all the machines. Use the CA to generate certificates for all your internal services.
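
The procedure in the reply above, sketched with openssl as an added example (not part of the original thread). The CA subject, the host name `intranet.example.internal`, the file layout and the certificate lifetimes are all constructed assumptions.

```sh
#!/bin/sh
# Added example: private CA plus one server certificate with openssl.
# All names below (CA subject, host name, lifetimes) are constructed.
set -eu

# make_internal_ca DIR: create the CA key and self-signed CA certificate.
make_internal_ca() {
  mkdir -p "$1"
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  chmod 600 "$1/ca.key"   # the CA private key is never distributed
  openssl req -x509 -new -config "$1/ca.cnf" -key "$1/ca.key" \
    -sha256 -days 3650 -out "$1/ca.crt"
}

# issue_server_cert DIR HOST: key, CSR and CA-signed certificate for HOST.
issue_server_cert() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  chmod 600 "$1/$2.key"
  openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" \
    -subj "/CN=$2" -out "$1/$2.csr"
  # Leaf extensions: not a CA, TLS server use only, name in subjectAltName
  cat > "$1/$2.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
    -out "$1/$2.crt" 2>/dev/null
}

# verify_server_cert CA_CERT CERT HOST: succeeds only if the certificate
# chains to CA_CERT and its subjectAltName matches HOST.
verify_server_cert() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo run in a throwaway directory
demo_dir=$(mktemp -d)
make_internal_ca "$demo_dir"
issue_server_cert "$demo_dir" intranet.example.internal
verify_server_cert "$demo_dir/ca.crt" \
  "$demo_dir/intranet.example.internal.crt" intranet.example.internal \
  && echo "chain and host name verified"
```

Only `ca.crt` goes into client trust stores. Firefox keeps its own certificate store separate from the Windows one, so the CA has to be imported there as well.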

My company refuses to use anything newer than Firefox 9. Starting from 10, they started breaking the ability to use self-signed SSL certificates. 3ware web admin stopped working in 10 because of this. Our internal & development servers stopped working under Firefox 11.

Chrome has had this issue way early ... probably starting version 2.

Sorry but we're not paying $200 per internal server. And we can't even do that for 3ware web admin even if we wanted to.

Anyone else find it amazing that Opera Mini is in the same ballpark as Android's browser? Is there a mobile OS that Opera Mini is particularly strong on?

Opera Mobile and Mini offer some fringe benefits to some users on smartphones but they're no substitute for the built-in browser. I can only speculate that the high usage stems from dumbphones running the Java version. I used it before upgrading phones and put it on every feature phone with a web connection I could get my hands on. It revolutionises internet browsing for those on old phones and everyone loved it. But that's because feature phones' browsers are, by and large, crap.

***

On the subject of automatic updates, I never never never enable them for Windows and am looking to turn it off in Chrome. The previous version had some weird bug that rendered it very frustrating to use on 90% of websites. It got fixed, eventually, but till I tied it to the silent update, I thought it was corrupted or something. Very frustrating considering it usually "just works".

It looks like FF10 users are upgrading to FF11 at the same rate FF9 users upgraded to 10. That's interesting because some FF10 users are on the ESR release which is not rapid release, it is stable for a whole year with only security updates. I guess this means that in practice, very few people actually want a more slowly-updating browser?

It looks like FF10 users are upgrading to FF11 at the same rate FF9 users upgraded to 10. That's interesting because some FF10 users are on the ESR release which is not rapid release, it is stable for a whole year with only security updates. I guess this means that in practice, very few people actually want a more slowly-updating browser?

More likely those luddites have had their corporate firewalls blocking at an older version.

<delusions type="pointy haired IT management">Only IE is actually targeted by viruses so why should we waste time and money testing new versions of any other browser on our intranet.</delusions>